Do internal intranet websites need to be secure?
Solution 1
If the content on your network is sensitive and there are users who do not have the privileges required to view some or all of that content, then you will want to use SSL on your intranet. Fortunately, setting up SSL on your intranet isn't difficult, and you can use a self-signed certificate since there is no need to verify your company's identity.
Solution 2
Whenever you use Windows passwords to log on, you should also use SSL. (This is more vital if you allow basic auth.) This is to avoid privilege escalation both for your own users and as a multilayered security strategy.
Solution 3
If you have open wireless access for your visitors on the same network, and it's not served over https then it's easy for visitors to intercept other people's network traffic to your intranet.
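As an added example (not part of the original answers), this Python sketch illustrates the concern in Solutions 2 and 3: given a plaintext HTTP request as it appears on the wire, it reports what anyone observing the network segment could read. The host name, account and password are constructed sample values.

```python
import base64

# Constructed sample: a plaintext HTTP request to a hypothetical intranet host,
# as it would appear to anyone able to observe the network segment.
SAMPLE_REQUEST = (
    b"GET /licenses/list HTTP/1.1\r\n"
    b"Host: intranet.example.local\r\n"
    b"Authorization: Basic " + base64.b64encode(b"CORP\\alice:Example-Passw0rd") + b"\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Return request headers as a dict with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def exposure_report(raw: bytes) -> dict:
    """Describe what is readable on the wire when this request is sent without TLS."""
    auth = parse_headers(raw).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    # Without TLS the URL, headers and page content are readable whatever the scheme.
    report = {"scheme": scheme or None, "password_readable": False,
              "user": None, "content_readable": True}
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except ValueError:
            return report  # malformed token, nothing to decode
        user, sep, _password = decoded.partition(":")
        if sep:
            # Basic auth is only base64-encoded, so the password travels in the clear.
            report["user"] = user
            report["password_readable"] = True
    return report

if __name__ == "__main__":
    print(exposure_report(SAMPLE_REQUEST))
```

With Windows integrated authentication (NTLM or Negotiate) the password itself is not sent in the clear, but the report still marks the content as readable, which is the point made in the comments about packet sniffing.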
Updated on September 18, 2022

Comments
-
v01d over 1 year
The question is in the title.
Does an internal site need to have https security?
For example we have an internal site that handles our client's license keys -- do we need for that to be secure since it is on our internal network?
(The website is secured with IIS and windows user validation)
-
v01d almost 13 years
The website is secured with IIS and Windows user validation (but no https)
-
John Conde almost 13 years
That will limit who can get into the network but won't prevent packet sniffing on the network.
-
v01d almost 13 years
But the only people who can get to the network are people who have direct access to our wired network
-
John Conde almost 13 years
@Neal, Just because the users may have a higher level of trust versus users of a public facing website doesn't mean sensitive content shouldn't be protected as much as possible. Lots of hacking and theft occur from within a company's own walls, virtual or real.
-
Nelson over 12 years
100% agree. We have a WordPress installation on our intranet which authenticates against Active Directory, so it's protected with SSL.